Trend Micro-Chang-MC2

VAST 2012 Challenge
Mini-Challenge 2:

 

 

Team Members:

 

Hanwen Chang, Trend Micro, hanwen_chang@trend.com.tw  PRIMARY

Junyu Chen, Trend Micro, junyu_chen@trend.com.tw

Jeff C Huang, Trend Micro, jeff_c_huang@trend.com.tw

Beti Chiang, Trend Micro, beti_chiang@trend.com.tw 

Mear Kuo, Trend Micro, mear_kuo@trend.com.tw

 

Student Team: No

 

Tool(s):

 

Microsoft Excel

Notepad++

Tableau

 

Video: TrendMicro

 

 

Answers to Mini-Challenge 2 Questions:

 

MC 2.1 Using your visual analytics tools, can you identify what noteworthy events took place for the time period covered in the firewall and IDS logs? Provide screen shots of your visual analytics tools that highlight the five most noteworthy events of security concern, along with explanations of each event.

Here are the five noteworthy events:

1. Potential Port Scan in the network

After visualizing the destination services over these two days, we found some interesting lines on the graph. A horizontal orange line means a port was in continuous use in this company. From the firewall log, 80 and 6667 are the most frequently used ports. It is also clear that there are diagonal slashes on the graph. Since the ports were sorted by number, this looks as if a program was triggered to scan ports, such as a for loop: someone tried to build connections through different ports in a short period of time.

We checked the top source IPs and found they were the corporate firewall and external IPs. After filtering on the corporate firewall (10.32.0.100), we could see that the corporate firewall connected to internal IPs through an unreasonable number of different ports, and these ports were denied by the firewall, which indicates these ports are not permitted in the Bank of Money.

The internal IPs that the corporate firewall tried to connect to are distributed in 172.28.x.x. We are not sure which location these IPs represent, but they look like internal IPs. In addition, these connections seemed to happen periodically between 6:00 P.M. and 12:15 A.M. over the past two days. Although all the connections were denied, this abnormal behavior indicates the corporate firewall might be compromised.

 

2. 172.23.231.69 tried to connect to the firewall using different methods, such as telnet and database ports. This IP triggered not only brute force attack rules but also information leak rules.

From the IDS log, all the possible brute force attack alerts (Rules 1:2002992:6, 1:2002993:6, 1:2002994:6, 1:2002995:6) were triggered from one IP, 172.23.239.69. So we looked up the network activities of 172.23.231.69 and found that, in addition to the brute force attack, this IP also triggered other rules classified as attempted information leak (Rules 1:1418:11, 1:2001219:18, 1:2002910:4, 1:2002911:4, 1:2003068:6), and it also tried to connect to the firewall using database ports such as 3306, 1521, 5432 and 1433. It triggered 15 different rules in total and used 27 different ports.

We assumed that 172.23.231.69 might be an IT administrator who needs to access multiple services in the company, so we checked the traffic of this IP in the firewall logs. We found a very interesting connection pattern for 172.23.231.69. This IP tried to connect to the regional firewall through ports that are not typical firewall services, such as 22_tcp (SSH), 23 (telnet) and 161_tcp (SNMP). The most suspicious aspect was the timing: these connections happened almost at the same time. Why these services were requested within a few minutes is a very interesting question for the IT administrator to dig into.

On the other hand, this IP also connected to external IPs. If those external IPs show malicious behavior, 173.23.231.69 might be a bot controlled by attackers that is trying to access internal data.

 

3. Port 6667 was blocked by the firewall when external IPs sent requests to internal IPs; however, a huge number of internal IPs still talked to external IPs using IRC port 6667.

From the IDS log, there was considerable traffic related to IRC connections. After checking all the traffic on IRC port 6667, we found that all of the source IPs were external (10.32.5.51~59). It is highly likely that these IPs are IRC servers. Since this region was just configured and transitioned to a 24-hour call center, online Internet chatting might be a normal business service. However, the destination port status does not look normal enough to support that assumption: these external IPs used 7573 different destination ports to connect to internal IPs. The external IPs 10.32.5.51~59 were therefore considered suspicious sources.

To verify our assumption, we checked the traffic of these external IPs in the firewall log. We found that almost all requests these external IPs sent through port 6667 were blocked by the firewall. From the graph, most connections were denied unless their destination port was also 6667. In total, 12 connections were built from source port 6667 to destination port 6667.

On the other hand, when we checked these external IPs (10.32.5.51~59) as destination IPs, we could see other services on these servers. The following image shows internal IPs requesting ftp, 22_tcp, http and IRC services. Although inbound 6667 traffic was blocked, internal IPs kept sending IRC requests to the external IPs.
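The direction-and-outcome split that item 3 reasons about, as an added example that is not part of the team's submission. It assumes the intranet is 172.16.0.0/12 and everything else is external, uses a simplified, assumed version of the challenge firewall CSV columns, and runs over constructed rows rather than the real logs.

```python
import csv
import io
import ipaddress
from collections import Counter

INTERNAL = ipaddress.ip_network("172.16.0.0/12")  # assumption: Bank of Money intranet

# Constructed sample rows (not from the challenge data): two inbound IRC
# requests denied, one inbound 6667->6667 session built, three outbound
# IRC sessions built, and one unrelated HTTP row that must be ignored.
FIREWALL_CSV = """Date/time,Operation,Source IP,Destination IP,Source port,Destination port,Connections built
05/Apr/2012 09:00:01,Deny,10.32.5.51,172.23.0.14,6667,51234,0
05/Apr/2012 09:00:02,Deny,10.32.5.52,172.23.0.15,6667,1034,0
05/Apr/2012 09:00:03,Built,10.32.5.53,172.23.0.16,6667,6667,1
05/Apr/2012 09:00:04,Built,172.23.0.14,10.32.5.51,49211,6667,1
05/Apr/2012 09:00:05,Built,172.23.0.20,10.32.5.53,49212,6667,1
05/Apr/2012 09:00:06,Built,172.23.0.21,10.32.5.59,49213,6667,1
05/Apr/2012 09:00:07,Built,172.23.0.22,10.32.5.51,49214,80,1
"""


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def irc_summary(text, irc_port=6667):
    """Count IRC-port records by (direction, operation) and list the
    (source, destination) pairs that completed a 6667->6667 session,
    which item 3 singles out as the connections that actually succeeded."""
    counts = Counter()
    built_6667_to_6667 = []
    for r in csv.DictReader(io.StringIO(text)):
        sport, dport = int(r["Source port"]), int(r["Destination port"])
        if irc_port not in (sport, dport):
            continue  # not IRC traffic at all
        src_in, dst_in = is_internal(r["Source IP"]), is_internal(r["Destination IP"])
        if src_in and not dst_in:
            direction = "outbound"
        elif dst_in and not src_in:
            direction = "inbound"
        else:
            direction = "internal" if src_in else "external"
        counts[(direction, r["Operation"])] += 1
        if sport == dport == irc_port and int(r["Connections built"]) > 0:
            built_6667_to_6667.append((r["Source IP"], r["Destination IP"]))
    return counts, built_6667_to_6667
```

A large ("outbound", "Built") count next to a large ("inbound", "Deny") count is the asymmetry the finding describes: the block only stops the servers from reaching in, not the workstations from reaching out.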

 

4. The regional DNS server connected to the Financial Server SNAT through many UDP ports, the NetBIOS Name Service and the LDAP service.

The regional DNS server tried to talk to the Financial Server SNAT through many different UDP ports, which might also be potential port scan behavior. Besides, the DNS server requested the NetBIOS Name Service (ports 137 and 138) and LDAP (port 389). These are not normal connections or services between a DNS server and a SNAT server.
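The "for loop" pattern behind item 1 (one source touching many destination ports on one host in a short time) and the UDP fan-out in item 4 can be flagged with the same sliding-window check. This is an added example, not the team's code; column names are a simplified, assumed form of the challenge firewall CSV and the rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: thirty denied probes from the corporate firewall to one
# 172.28.x.x host within two minutes (ports 135..164), plus ordinary web traffic.
_probe_rows = "\n".join(
    f"05/Apr/2012 18:{i // 60:02d}:{i % 60:02d},Deny,TCP,10.32.0.100,172.28.3.10,{135 + i // 4}"
    for i in range(0, 120, 4)
)
FIREWALL_CSV = (
    "Date/time,Operation,Protocol,Source IP,Destination IP,Destination port\n"
    + _probe_rows + "\n"
    + "05/Apr/2012 18:00:30,Built,TCP,172.23.1.5,10.32.5.51,80\n"
    + "05/Apr/2012 18:01:30,Built,TCP,172.23.1.5,10.32.5.51,80\n"
)


def parse_firewall(text):
    """Parse the simplified CSV into dicts with typed time and port fields."""
    return [{"time": datetime.strptime(r["Date/time"], "%d/%b/%Y %H:%M:%S"),
             "op": r["Operation"], "proto": r["Protocol"], "src": r["Source IP"],
             "dst": r["Destination IP"], "dport": int(r["Destination port"])}
            for r in csv.DictReader(io.StringIO(text))]


def scan_candidates(rows, min_ports=20, window_seconds=300):
    """Return {(src, dst): summary} for pairs that hit >= min_ports distinct
    destination ports inside any window_seconds span. The summary keeps the
    peak distinct-port count, the share of denied records and the protocols,
    so a denied TCP probe (item 1) and allowed UDP fan-out (item 4) both show."""
    window = timedelta(seconds=window_seconds)
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["src"], r["dst"])].append(r)
    found = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["time"])
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1  # slide the window forward
            peak = max(peak, len({e["dport"] for e in evs[start:end + 1]}))
        if peak >= min_ports:
            denied = sum(e["op"] == "Deny" for e in evs) / len(evs)
            found[pair] = {"peak_ports": peak, "denied_share": round(denied, 2),
                           "protocols": sorted({e["proto"] for e in evs})}
    return found
```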

 

5. The IPs that triggered “Attempted information leak” show the same behaviors as the suspicious IP 172.23.231.69.

We looked up the activities behind the “attempted information leak” alerts, since these might be data leakage events. We found that these alerts were triggered by five internal IPs distributed across different IP segments. Besides triggering similar types of IDS rules, they all tried to connect to the regional firewall. Anyone could send requests to the firewall, but it is important to look at which services they requested. So we went back to the firewall log again and found some interesting ports and counts. All of them tried to request ftp, telnet, http and https services from the firewall, and all of these requests were denied by the ACL, which means they were not admin machines with permission.

On the other hand, different machines showed very similar behaviors, and one of them had already been considered a suspicious IP in the previous investigation. Not only is the timing of the requests to the destination very close, the counts are exactly the same.
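The "same services, same counts" comparison from item 5, as an added example that is not the team's code: each source is fingerprinted by its multiset of (destination service, operation, count) against the regional firewall, and sources with identical fingerprints are grouped. The firewall address is a placeholder, the column names are an assumed simplification of the challenge CSV, and all rows are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

REGIONAL_FIREWALL = "172.25.0.1"  # placeholder address, not the challenge value

# Constructed sample: three hosts in different segments each denied on the
# same ftp/telnet/http/https mix with the same counts, plus one host whose
# https sessions were built (an allowed client, so a different fingerprint).
_services = [("ftp", 2), ("telnet", 1), ("http", 3), ("https", 1)]
_rows = []
for host in ("172.23.231.69", "172.28.1.20", "172.30.2.5"):
    for svc, n in _services:
        _rows += [f"06/Apr/2012 02:1{i}:00,Deny,{host},{REGIONAL_FIREWALL},{svc}"
                  for i in range(n)]
_rows += [f"06/Apr/2012 10:00:0{i},Built,172.23.5.5,{REGIONAL_FIREWALL},https"
          for i in range(2)]
FIREWALL_CSV = ("Date/time,Operation,Source IP,Destination IP,Destination service\n"
                + "\n".join(_rows) + "\n")


def fingerprints(text, target):
    """Map each source IP to a hashable summary of what it asked `target` for:
    a sorted tuple of ((service, operation), count)."""
    per_src = defaultdict(Counter)
    for r in csv.DictReader(io.StringIO(text)):
        if r["Destination IP"] != target:
            continue
        per_src[r["Source IP"]][(r["Destination service"], r["Operation"])] += 1
    return {src: tuple(sorted(c.items())) for src, c in per_src.items()}


def lookalike_groups(text, target, min_size=2):
    """Group sources whose fingerprint against `target` is identical; a group
    spanning several segments is the item 5 signal worth a closer look."""
    groups = defaultdict(list)
    for src, fp in fingerprints(text, target).items():
        groups[fp].append(src)
    return [sorted(g) for g in groups.values() if len(g) >= min_size]
```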

 

MC 2.2 What security trend is apparent in the firewall and IDS logs over the course of the two days included here? Illustrate the identified trend with an informative and innovative visualization.

2.2.1 All IDS alerts were periodically triggered during 00:00-01:00, which indicates abnormal behavior in the intranet. If there is no routine work at the Bank of Money at that time, it might be a potential threat in the intranet.

2.2.2 The amount of traffic dropped dramatically from 14:00. After that there was no traffic from 17:24 to 17:45. Network service might have stopped during this time, for whatever reason, and came back at 17:45.

2.2.3 Unknown empty event. It seems that an unknown service was triggered periodically, almost every 10 minutes.
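Two checks behind the MC 2.2 observations, as an added example that is not part of the submission: hourly_profile() exposes the 00:00-01:00 concentration of alerts (2.2.1), and periodic_sources() estimates a repeat interval per source for the "every 10 minutes" pattern (2.2.3). The (time, source IP) alert layout is an assumption and the alerts are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median


def _t(s):
    return datetime.strptime(s, "%d/%m/%Y %H:%M:%S")


# Constructed alerts: 172.23.0.50 fires every 10 minutes from midnight (plus
# one stray afternoon alert); 172.23.0.51 fires a few irregular times at night.
ALERTS = (
    [(_t("05/04/2012 00:00:00") + timedelta(minutes=10 * k), "172.23.0.50") for k in range(12)]
    + [(_t("05/04/2012 00:05:00") + timedelta(minutes=m), "172.23.0.51") for m in (0, 1, 7, 30, 40)]
    + [(_t("05/04/2012 14:17:00"), "172.23.0.50")]
)


def hourly_profile(alerts):
    """Count alerts per hour of day; a spike in one hour is the 2.2.1 signal."""
    return Counter(t.hour for t, _ in alerts)


def periodic_sources(alerts, tolerance_s=30, min_events=6, agreement=0.8):
    """Return {source: period_seconds} for sources whose consecutive alert gaps
    match their median gap (within tolerance_s) at least `agreement` of the
    time, i.e. a scheduled or beaconing cadence rather than bursty activity.
    The median tolerates a few outliers such as a lone daytime alert."""
    by_src = defaultdict(list)
    for t, src in alerts:
        by_src[src].append(t)
    result = {}
    for src, times in by_src.items():
        if len(times) < min_events:
            continue  # too few alerts to call a cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        regular = sum(abs(g - period) <= tolerance_s for g in gaps)
        if regular / len(gaps) >= agreement:
            result[src] = period
    return result
```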

 

MC 2.3 What do you suspect is (are) the root cause(s) of the events identified in MC 2.1? Understanding that you cannot shut down the corporate network or disconnect it from the internet, what actions should the network administrators take to mitigate the root cause problem(s)?

2.3.1 Potential Port Scan in the network

Two source types showed this port scan behavior: the corporate firewall and external IPs. Although all of this traffic was denied, it is suggested to block these external IPs. The corporate firewall is an internal server that could affect the intranet, so it is highly recommended to conduct a thorough virus scan on it.

 

2.3.2 172.23.231.69 tried to connect to the firewall using different methods, such as telnet and database ports. This IP triggered not only brute force attack rules but also information leak rules.

172.23.231.69 triggered many suspicious requests to the regional firewall and also kept talking to external IPs through port 6667. The IT administrator needs to block this IP and check who the owner of this workstation is. Besides a virus scan, also check for vulnerabilities and apply patches.

Since 172.23.231.69 seems to target the regional firewall, it is also recommended to check the regional firewall's detection and infection status in the virus log.

 

2.3.3 Port 6667 was blocked by the firewall when external IPs sent requests to internal IPs; however, a huge number of internal IPs still talked to external IPs using IRC port 6667.

It seems that a great number of internal IPs talked to 10.32.5.51~59 using the 6667_IRC port. Since this region has been configured as a call center, IRC connections might be used for business activities. The following directions are suggested for investigation:

- Check which application in this region uses the IRC port, and see if it is a legitimate application used for customer service.

- Check the external IPs 10.32.5.51~59 and see if they are legitimate IRC servers that support business operations. If not, the administrator should block these IPs immediately to stop any connection to them.

- Among all connections, there are 12 built cases from port 6667 to port 6667, which means successful IRC connections. The administrator should investigate the 12 source workstations to see if the IRC connections were triggered intentionally by users.

 

2.3.4 The regional DNS server connected to the Financial Server SNAT through many UDP ports, the NetBIOS Name Service and the LDAP service.

For the UDP port connections, Microsoft has confirmed that this is a known effect of applying MS08-037. According to the Microsoft KB, by default, after security update 953230 is installed, the DNS Server service randomly allocates 2,500 ports in the ephemeral port range. This is new behavior introduced by this update. So this is not a security issue, and the administrator could mitigate it according to what Microsoft suggests.

However, for the other services, such as NetBIOS and LDAP, the administrator needs to look up whether the corporate headquarters datacenter provides a file sharing service. If not, it is suggested to block these ports on the DNS server to prevent suspicious usage.

 

2.3.5 The IPs that triggered “Attempted information leak” show the same behaviors as the suspicious IP 172.23.231.69.

Since these actions were denied by the firewall, there is no emergency requiring action on the firewall. However, IT administrators need to look up more detail on these machines to understand the purpose of accessing the firewall. Here are some important questions the IT administrator needs to answer:

- Who was trying to access the firewall without permission? Is it a business activity?

- Which application triggered these requests?

- Why did those machines from different segments all behave the same?

Here are the actions the IT administrator could take for these machines:

- Conduct a manual scan on these machines.

- Update OS patches.

- Keep monitoring the traffic of these IPs, especially their external traffic.